aeo-system

v1.0.0

Answer Engine Optimization — get AI assistants to recommend your brand. Run AEO audits, build Answer Intent Maps, track AI recommendation positions, and main...

by Batsirai Chada (@batsirai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (AEO audits, intent maps, tracking AI recommendations) legitimately requires querying AI APIs and writing reports, which the included Node script and templates implement. However, the registry metadata claims 'Required env vars: none' while SKILL.md and the script require/expect PERPLEXITY_API_KEY (required), OPENAI_API_KEY (optional), and recommend BRAVE_API_KEY. That registry vs runtime mismatch is an incoherence that could mislead users about what secrets they'll need to provide.
Instruction Scope
SKILL.md instructs the agent to query external AI services (Perplexity and OpenAI), fetch/analyze brand websites, run schema/Rich Results checks, and produce files in the working directory. The included script performs HTTPS requests to api.perplexity.ai and api.openai.com and writes JSON/Markdown outputs. The instructions also reference manual checks (Google Merchant Center, GA4) and a 'browser fallback' for Claude/Gemini which are vague and leave room for human interaction or ad-hoc scraping. There are no instructions to read unrelated system files or exfiltrate environment variables; network and filesystem use is explicit.
Install Mechanism
No install spec — instruction-only skill with a Node.js script. This has a low install risk because nothing is downloaded or executed automatically beyond the included script. The script is plain JS using https/fs; no obfuscated or remote install steps were found.
Credentials
Requiring PERPLEXITY_API_KEY and optionally OPENAI_API_KEY is proportionate to querying those services. BRAVE_API_KEY is plausible for web-based checks but is less standard (clarify what 'BRAVE_API_KEY' refers to). The concern is the mismatch between the registry (no env vars declared) and SKILL.md/script (which require keys). That mismatch reduces transparency about what credentials will be requested. No unrelated or excessive environment variables are requested by the code itself.
Persistence & Privilege
The skill is not forced-always (always:false) and does not request elevated system or cross-skill privileges. It writes audit reports and data to the working directory (normal for this functionality) and does not modify other skills or global agent configuration.
What to consider before installing
This skill appears to implement what it claims (AEO audits, answer-intent maps) and its Node script calls Perplexity and OpenAI endpoints and writes local reports. Before installing or running it:
1) Do not assume the registry metadata is authoritative — SKILL.md and the script expect PERPLEXITY_API_KEY (required) and optionally OPENAI_API_KEY; the registry not listing env vars is an inconsistency to clarify with the author.
2) Only provide API keys scoped appropriately (use limited/rotating keys where possible); do not give Google Merchant Center, GA4, or other platform credentials to the skill as an automated secret—those steps are documented as manual in SKILL.md.
3) Review scripts/answer-intent-map.js yourself (or have a developer do so) to confirm there are no additional remote endpoints; the script uses api.perplexity.ai and api.openai.com only.
4) Run the script in an isolated environment (container/VM) if you plan to use your real API keys, and consider rate limits/costs for queries.
5) Ask the publisher to fix registry metadata to explicitly declare required environment variables and document what BRAVE_API_KEY refers to.
If you need help verifying the code or limiting exposure, get a developer to audit the script before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97721x0evqkzd20yamqn7sx8x81yfrr
